
Policy-Driven Systems for Enterprise-Wide Security Using PKI and Policies to build Trusted Distributed Authorization Systems Joe Pato Marco Casassa.


1 Policy-Driven Systems for Enterprise-Wide Security: Using PKI and Policies to build Trusted Distributed Authorization Systems
Joe Pato, Marco Casassa Mont
Hewlett-Packard Labs
Sep 18, 2000

2 Business Model
Business-to-Business Relationships between Service Providers and Enterprises on the Internet
[Diagram labels: Internet, B-2-B, E-Services, Service Provider, Enterprise, User]

3 Requirements
Trust Management Establishment
– Sustained Relationship
Privacy
– Enterprise Population
– Individual’s Roles
Customization
– Local Policies
– Enterprise Enforcement

4 Requirements
Performance
Distributed Processing
– Services
– Policy Enforcement
– Authorization
Bandwidth Consumption
– Reduced
– Amortized

5 Current Business Model
[Diagram labels: User, Enterprise, Service Provider, Internet, B-2-B, Authorization Service, Service Provider Policies, Business Constraints, Local Configuration, Policy Enforcement Point (PEP), E-Services, Operation]

6 Moving Towards High Level Symmetric Business Model
[Diagram labels: Enterprise, Service Provider, User, Internet, Policy Distribution Point (PDP), Authorization Service, E-Services, Operation, Service Provider Policies, Business Constraints, Local Configuration, Policy Enforcement Point (PEP), Enterprise Policies, B-2-B Policies]

7 Distributed Authorization
Policy Driven Authorization
(A)Symmetric Authorization
Operation at both parties
Policy Distribution Points
Distribute across enterprises
Policy Enforcement Points
Both local and remote policies

8 Business Model Simplifications
Sustained Relationships
Contracts
Auditing and Monitoring
Dispute Resolution

9 Technology Problems
Trust Establishment
Tamper Resistant Policy Enforcement Point
Verifiability of Identity of Involved Parties
Verifiability of Policies sent across Enterprise Boundaries
Instrumentation to Gather Evidence
Archival of Evidence

10 Role of PKI
Verifiability for Business Relationships
Digital certificates
Certificate management
“Tamper Proof” exchange of messages and policies
Signed XML

11 Policies
Statements describing expected behavior for
Systems
Services
People
Formal Modeling
High Level Specification
Refined to programmatically enforceable data
Abstraction suitable for sharing across enterprises

12 Role of Policies
Policies
Describe authorization constraints
Drive authorization decisions
Are exchanged between Enterprises in a Distributed Authorization Framework

13 Conclusion
Distributed Authorization enhances privacy and performance for B2B interactions
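
An added example (not part of the presentation) of the check that slides 9, 10 and 12 point to: a Policy Enforcement Point accepts a policy from a partner's Policy Distribution Point only if its signature verifies, and the verified remote policy then drives the decision together with the local one. The XML policy format, the `sp.example` issuer name, the function names, pinned Ed25519 keys in place of certificate validation, a detached signature over the raw bytes in place of XML Signature, and the rule that both policies must allow an operation are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/xml"
	"fmt"
)

// Policy is a constructed XML format (an assumption; the slides define none).
type Policy struct {
	Issuer string `xml:"issuer,attr"`
	Rules  []struct {
		Role string `xml:"role,attr"`
		Op   string `xml:"op,attr"`
	} `xml:"rule"`
}

func (p *Policy) allows(role, op string) bool {
	for _, r := range p.Rules {
		if r.Role == role && r.Op == op {
			return true
		}
	}
	return false
}

// VerifyPolicy accepts a partner PDP's policy only if its detached signature verifies under the key pinned for its issuer.
func VerifyPolicy(doc, sig []byte, pinned map[string]ed25519.PublicKey) (*Policy, error) {
	var pol Policy
	if err := xml.Unmarshal(doc, &pol); err != nil {
		return nil, err
	}
	key, ok := pinned[pol.Issuer]
	if !ok || !ed25519.Verify(key, doc, sig) {
		return nil, fmt.Errorf("policy rejected: unknown issuer %q or bad signature", pol.Issuer)
	}
	return &pol, nil
}

// Authorize is the PEP decision: local and verified remote policy must both allow.
func Authorize(local, remote *Policy, role, op string) bool {
	return local != nil && remote != nil && local.allows(role, op) && remote.allows(role, op)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed partner key pair
	doc := []byte(`<policy issuer="sp.example"><rule role="buyer" op="order"/></policy>`)
	_, err := VerifyPolicy(doc, ed25519.Sign(priv, doc), map[string]ed25519.PublicKey{"sp.example": pub})
	fmt.Println("policy accepted:", err == nil)
}
```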

